Remember ipa-getcert is just a shortcut for certificates using the
certmonger CA named IPA, so it's more a filter than anything else. I
don't know why it wouldn't display any output but I'd file a bug.
I think we'd need to see the getcert list output to try to figure out
what is going on.
As for the SSL error fetching the cert chain I think Martin may be onto
something. The request is proxied through Apache. I think the client
here might be the Apache proxy client.
I believe this command replicates what Apache is doing, you might give
it a try on the master. This will get the chain directly from dogtag,
bypassing Apache:
$ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project